Five things:

1. Your account — name, email, hashed password, optional photo / phone.
2. The documents you upload or generate, plus who uploaded them and when.
3. What you type into the agent — every prompt and every reply in your sessions.
4. How SDI runs — rate-limit counters, audit log of consequential changes.
5. Chat archives — if an admin imports a WhatsApp export, every message in it.

We don't track you beyond what you send us. No ad cookies, no device fingerprinting.

• Supabase (EU-hosted) — account details, document metadata, agent sessions, audit logs.
• GitHub — the actual text of each document, in a private repo.
• Anthropic (Claude) — when the app generates, translates, classifies, or runs the agent. Enterprise tier: no training on our data, no retention.
• Voyage AI (optional) — for semantic-search embeddings. Same posture.
• Resend — for outgoing email (notifications, magic links).
• Upstash — counters only, no content.

• Your documents are visible to members of your organisation.
• Other cooperatives on SDI cannot see your documents — and can't see that they exist.
• Your agent sessions are private to you. Platform admins can read them for support only.
• Confidential-marked docs display a lock and are meant for editors + org-admins.
• The audit log is platform-admins only.

When the app uses Claude (generate, agent, translate, classify, entity extraction), it sends:

• Your prompt.
• House principles (rules every call must follow).
• The relevant document bodies — truncated, up to about 30 000 characters per call.

It does not send: your password, email, phone, photo, documents outside your scope, other people's sessions, or audit logs.

• Documents — indefinitely. Replaced versions are archived, still findable. Permanent deletion on request.
• Agent sessions — until you delete them.
• Rate-limit counters — minutes.
• Backups — Supabase keeps daily backups for 7 days (or longer on higher tiers).
• Audit log — indefinitely, so we can always answer "who changed this".

• Look — your Account page + the Index show what's attributed to you.
• Correct — edit your profile; edit doc metadata in the Index.
• Delete — ask an admin to delete your account. Documents you authored stay (they belong to the coop), but your name is detached.
• Move — document bodies are plain markdown in a repo; an export is a git clone. Ask an admin for access.
• Object — contact the coop if you think something is being handled wrongly.

• Data controller: Cooperativa Integral Sulitania CRL (Castro Marim, Portugal).
• Platform admins — small group; see all orgs, read sessions for support only.
• Third parties — Supabase, Anthropic, Voyage, Resend, Upstash, GitHub. See above.

• Day-to-day questions — ask an admin in SDI.
• Formal data requests — email address on the /policy page.
• Something went wrong — tell an admin immediately; breaches are reported to authorities within 72 hours.